Malware Analysis Report

2025-03-15 07:45

Sample ID: 240214-kzk37afd79
Target:    9b4365f338e72a858161429f0ea14efc
SHA256:    83ba7beca30e18fc57055c50165ef406691dc3d74ab90a8fc99752107978b25f
Tags:      upx gozi banker isfb trojan
Score:     10/10

Analysis Overview

Score:        10/10
SHA256:       83ba7beca30e18fc57055c50165ef406691dc3d74ab90a8fc99752107978b25f
Threat Level: Known bad

The file 9b4365f338e72a858161429f0ea14efc was found to be: Known bad.

Malicious Activity Summary

Tags: upx gozi banker isfb trojan

Gozi
Loads dropped DLL
UPX packed file
Executes dropped EXE
Deletes itself
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-14 09:02

Signatures

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-02-14 09:02
Reported:         2024-02-14 09:04
Platform:         win7-20231215-en
Max time kernel:  117s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe  N/A

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe

"C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe"

C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe

C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe

Network

Country  Destination       Domain         Proto
US       8.8.8.8:53        zipansion.com  udp
US       104.21.73.114:80  zipansion.com  tcp
US       8.8.8.8:53        yxeepsek.net   udp
US       104.21.20.204:80  yxeepsek.net   tcp

Files

memory/2552-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2552-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2552-2-0x00000000018F0000-0x0000000001A23000-memory.dmp

\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe
MD5    4b69c43871405277debfdc575628e5d0
SHA1   2377c68826be4a1b0ea6674aa603670a60e508fa
SHA256 6d801cb90e60a3db7a213b90f1404fb7c04643cf75a55bba9a0c8c7889124395
SHA512 4964d8abc786cb122f1241a7da570591aa228db801e59016574ebdd6db08bad1280eed7d74c3e8c16ff92acb25c119b0fc19a8bff366f18c4db19e27d543fe25

memory/1808-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1808-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2552-14-0x0000000003950000-0x0000000003E3F000-memory.dmp
memory/2552-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1808-19-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/1808-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1808-24-0x0000000003410000-0x000000000363A000-memory.dmp
memory/1808-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-02-14 09:02
Reported:         2024-02-14 09:04
Platform:         win10v2004-20231222-en
Max time kernel:  145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe"

Signatures

Gozi (banker trojan gozi)

Deletes itself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe  N/A

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe

"C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe"

C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe

C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe

Network

Country  Destination       Domain                       Proto
US       8.8.8.8:53        217.106.137.52.in-addr.arpa  udp
US       8.8.8.8:53        zipansion.com                udp
US       104.21.73.114:80  zipansion.com                tcp
US       8.8.8.8:53        yxeepsek.net                 udp
US       104.21.20.204:80  yxeepsek.net                 tcp
US       8.8.8.8:53        240.221.184.93.in-addr.arpa  udp
US       8.8.8.8:53        114.73.21.104.in-addr.arpa   udp
US       8.8.8.8:53        204.20.21.104.in-addr.arpa   udp
US       8.8.8.8:53        67.31.126.40.in-addr.arpa    udp
US       8.8.8.8:53        95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53        97.17.167.52.in-addr.arpa    udp
US       8.8.8.8:53        157.123.68.40.in-addr.arpa   udp
US       8.8.8.8:53        206.23.85.13.in-addr.arpa    udp
US       8.8.8.8:53        18.134.221.88.in-addr.arpa   udp
US       8.8.8.8:53        187.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53        22.236.111.52.in-addr.arpa   udp
US       8.8.8.8:53        180.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53        170.117.168.52.in-addr.arpa  udp

Files

memory/6096-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/6096-2-0x0000000001DF0000-0x0000000001F23000-memory.dmp
memory/6096-1-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9b4365f338e72a858161429f0ea14efc.exe
MD5    904c01778f073048818c58aa60d530f8
SHA1   91b0f3254099c984916131f21f9f5c8fa0e10496
SHA256 c647594cab42dec1ffea5c9bf878b1c10996dfefbe185efc37111041dfeccd78
SHA512 a42e473fc47a9dadb3a46c73eaac140488cfb60dba86bf05e25b04cc696203c3024834c765d3f1c0f44efde8d40ce16468e530206026c56380e326e480f6a765

memory/6096-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3920-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3920-13-0x0000000001D90000-0x0000000001EC3000-memory.dmp
memory/3920-15-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3920-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3920-20-0x0000000005690000-0x00000000058BA000-memory.dmp
memory/3920-28-0x0000000000400000-0x00000000008EF000-memory.dmp